Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Firewall - Roadmap?

Hej,

is there a roadmap for the XGs for the next major versions and the planned functions?

Thanks.



This thread was automatically locked due to age.
Parents
  • Forgot to put a follow up/bump here, on the road to XGv18 in two years.

    SFOS 17.1.3 MR-3 released these days. Bug fix mostly.

    Paul Jr

  • Hey Paul,

    V17.5.b is supposed to be due this week.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • support says v17.5 is scheduled for November

  • Then what are the changes in 17.5? In the last roadmap I have seen there were 17.2, 17.3 and 18, no 17.5.

    With best regards,

    Steppenwolf

  • Hi Steppenwolf!

    17.5 beta should be already available in October.

    Quick overview of the key new features in v17.5:

    • Sophos Central Management of XG Firewall with new features for backup and firmware management, as well as a new zero-touch deployment option
    • Synchronized Security features including Lateral Movement Protection to prevent threats from spreading on the same network segment and Synchronized User ID to eliminate the need to integrate with Active Directory for user identification
    • Wireless APX access point support offers support for the new Wave 2 access points, providing faster connectivity and added scalability (and will come shortly following the main v17.5 release in MR1)
    • Education features such as policy-based control over SafeSearch and YouTube restrictions, block-page overrides, and Chromebook authentication support
    • Email features with Sender Policy Framework (SPF) anti-spoofing protection and a new MTA based on Exim which closes a couple of top requested feature differences with SG UTM
    • IPS protection is enhanced with the Cisco Talos IPS pattern library and more granular categories
    • Management enhancements including enhanced firewall rule grouping with automatic group assignment and a custom column selection for the log viewer
    • VPN and SD-WAN failover and failback including new IPSec failover and failback controls and SD-WAN link failback options
    • Client authentication gets a major update with a variety of new enhancements, such as per-machine deployment, a logout option, support for wake from sleep, and MAC address sharing
    • Airgap support enables XG Firewall to be updated via USB in situations where XG Firewall can’t get updates automatically via an internet connection due to an “airgap” or physical isolation (coming shortly following the main v17.5 release in a MR)
    • Sophos Connect IPSec VPN client, free for all XG Firewall customers, that makes remote VPN easy for end users (not part of v17.5 but being made available at the same time for early access)
  • Hi,

    were is v17.5.b hiding?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Never heard of 17.5.b unless someone in marketing invented the term.

    In short, the originally planned 17.2 and 17.3 with lists of features have been replaced with 17.5 and the list of features above.

    Also see community.sophos.com/.../xg-firewall-v17-5-is-coming-soon where they mention "We are expecting the beta to be available in the coming days".

     

  • v17.5.b is the beta version of v17.5 to give it a name.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry to hear the UTM/EXIM is the point of comparison for mail filtering, since UTM/EXIM:

    • is unable to examine the From header (the one that the user sees), so it cannot block forged values in this header (one common complaint is the inability to block From domain=receipient doman)
    • is unable to do filtering based on server name (whether Reverse DNS, Forward-Confirmed Reverse DNS, or Forward-confirmed DNS of HELO/EHLO name),
    • cannot check or enforce sender DMARC policy checking,
    • cannot export a message log into CSV, Excel, or any other usable format.

    Email filtering seems like the weakest component in UTM, so if XG is reaching up to meet UTM, it is reaching up to a pretty low goal.

Reply
  • Sorry to hear the UTM/EXIM is the point of comparison for mail filtering, since UTM/EXIM:

    • is unable to examine the From header (the one that the user sees), so it cannot block forged values in this header (one common complaint is the inability to block From domain=receipient doman)
    • is unable to do filtering based on server name (whether Reverse DNS, Forward-Confirmed Reverse DNS, or Forward-confirmed DNS of HELO/EHLO name),
    • cannot check or enforce sender DMARC policy checking,
    • cannot export a message log into CSV, Excel, or any other usable format.

    Email filtering seems like the weakest component in UTM, so if XG is reaching up to meet UTM, it is reaching up to a pretty low goal.

Children
  • Hello

    Is it still the same with EXIM version 4.91 ? Those first three items are deal killers for me.  I read that DKIM can be implemented on EXIM by calling external services.  Same for anti-spam et.c.  I do not know yet how EXIM was implement on XG.  Possibly it was done by Sophos already ...

    Paul Jr 

  • No one has rebuked me yet...  

    I would be hapoy to be wrong, or to be the motivation to implement features that should have been in place 10 years sgo.

  • Well ... Let's start :) !!!

    This guy here: https://forum.directadmin.com/showthread.php?t=55929 as somewhat integrated EXIM with OpenDMARC.

    I haven't checked yet, but maybe we have something equivalent in XG now in v17.5.

     

    Paul Jr

  • Currently, I am a UTM user, but I bounce over to the XG group occasionally to see if a migration would be worth the pain.   

    I read the EXIM documentation to see if I could do something under the covers to improve on the UTM SPAM filter, which is where I realized that EXIM did not examine the FROM header at all.   That exercise was at least a year ago, so it is possible that the situation may change in a newer release.  EXIM has a couple of technologies for writing filter definitions.   It may be possible to create Reverse DNS filters using the EXIM filter mechanisms, but I could not easily see where these files existed inside UTM.   If I had found them, I assumed that the UTM interface would overwrite them, and I knew that any under-the-cover manipulation would make my device unsupportable, so I gave up.   

    I already had another product that is my primary mail filter so we have kept it going.   UTM/EXIM provides a second look which captures some things that the primary device misses.

    Sophos Email Appliance appears to be Sophos' flagship mail product.   It does DMARC enforcement, but does not have Reverse DNS filtering, so I was underwhelmed.

    I have been looking for a product that does everything that I think a minimally-acceptable mail product should do.   So far, the solution will cost about 8 times what I am paying now for my primary mail device.  I do not think I can sell that expense up the management chain.   So I am still looking. 

  • Hello

    I have stopped using Sophos Mail Gateway , I also stopped using XG mail gateway, and turned back to Symantec Mail Gateway (Brigthmail).

    1. Took Sophos too long to upgrade to SMBv2.
    2. Far more easier to use.  By that, I also mean far more intuitive.
    3. Complete reporting.  And all features required for a mail appliance running for a Bank !!!
    4. Around $CAN 15 per user for the appliance "Only" licence.  Cheaper if you combine with EndPoint Protection.
    5. For some incomprehensible reasons, "Symantec Enterprise" license do not exist anymore.
    6. I also tested Spam Titan, but in 2018, it had too much false alarms.  It was rock solid before ...

    My renewal with Sophos is in few months.  At this moment, I intend to swap back endpoint protections to Symantec.  Sophos SEC installation is way too complicated.  Ports here, ports there, password here, password there, users here, users there, folder permissions here, folder permissions there.  It never ends.  And unexisting uninstall.  Yes, Uninstall is manual.  And maintenance requires way too much interventions.  For XG, I am not fixed yet. But if things progress this year as slow as it was last year, I will migrate to a more common and streamline product as well.  XG as it is, is too unintuitive and requires way too much care.

    Paul Jr

  • Man, With all the people thinking about leaving XG, I wonder if Sophos is actually selling more than people leaving. 

  • Not really - the XG is getting to be a great product. Sure it has shortcomings but in general it does what we want.

    Not a fan of XG for Mail Scanning or controlling my WiFi but web policies, Firewall, Authentications, VPNs etc its quite stable (now)

     

    In the late v16s firmware I was ready to chuck it out and get something that worked. I have since bought an XG450....

     

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • I agree it is getting to be a great product, but even today it is still missing some fundamental pieces to make it equal to the UTM.

    Just today I was putting together a quote, and couldn't use the XG because it is missing a proper DHCP, DNS & NTP server, a to name a few modules which are in dire need of updating.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • The following informations about upcoming releases have reached me via Newsletter.

    Last week we released MR1 for XG Firewall, which contains a couple of important fixes for the Early Access Program (EAP) for Central Management of XG Firewall.

    The next MR to be released to all customers will come on February 10 with much anticipated support for our new APX Wireless Access Points and Airgap Support. Expect more news and information on that as we get closer to launch day. This maintenance release will be called MR3.

    Then we expect another Maintenance Release in early March (MR4), with additional features like Encrypted Backups and Backup Management from Sophos Central.

    In Summary:

    • MR1 – Central Management EAP Fixes – Available Now
    • MR3 – APX and Airgap Support – February 10
    • MR4 – Backup Features - March

    If you have any questions about the updates, please contact your Sophos representative for more information.

    Please send me Spam gueselkuebel@sg-utm.also-solutions.ch

  • Hello

    Any development on what's coming in March ? I mean, is there anything more covered than just Backup ?

    Paul Jr